Skip to content

Commit

Permalink
Add OpenVPN to CI (#1705)
Browse files Browse the repository at this point in the history
### Description of changes: 
1. Added patch for TLS1_PRF to use alternative codepath in OpenVPN (for
versions <= 2.6.x)
2. integration script and workflow for Github CI

### Call-outs:
- We anchor to tip of the minor version 2.6.x. We can not support
OpenVPN versions > 2.6 as tip of main has removed the alternate codepath
for TLS1_PRF that we currently rely on. This change should be pulled
into the next minor version of OpenVPN and will break AWS-LC
compatibility.
- Management interface is disabled when building openVPN, this will be
changed in a later PR once we add in support.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
  • Loading branch information
smittals2 authored Jul 25, 2024
1 parent b7d7a99 commit fc14c55
Show file tree
Hide file tree
Showing 4 changed files with 129 additions and 27 deletions.
15 changes: 15 additions & 0 deletions .github/workflows/integrations.yml
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,21 @@ jobs:
- name: Run strongswan build
run: |
./tests/ci/integration/run_strongswan_integration.sh
openvpn:
if: github.repository_owner == 'aws'
runs-on: ubuntu-latest
steps:
- name: Install OS Dependencies
run: |
sudo apt-get update
sudo apt-get -y --no-install-recommends install \
cmake gcc ninja-build golang libnl-3-dev libnl-genl-3-dev \
libcap-ng-dev liblz4-dev liblzo2-dev libpam-dev libcmocka-dev \
python3-docutils
- uses: actions/checkout@v4
- name: Run openvpn build
run: |
./tests/ci/integration/run_openvpn_integration.sh
libevent:
if: github.repository_owner == 'aws'
runs-on: ubuntu-latest
Expand Down
23 changes: 0 additions & 23 deletions tests/ci/integration/openvpn_patch/aws-lc-openvpn-cert.patch

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,8 +1,17 @@
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 50683b67..eef80d54 100644
index fbc95ff7..e174ed76 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1460,7 +1460,12 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
@@ -1398,7 +1398,7 @@ memcmp_constant_time(const void *a, const void *b, size_t size)
return CRYPTO_memcmp(a, b, size);
}

-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC)
bool
ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
int secret_len, uint8_t *output, int output_len)
@@ -1478,7 +1478,12 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
int ret = false;

chunk = EVP_MD_size(md);
Expand All @@ -29,10 +38,29 @@ index c9fa7196..a48ef391 100644
#endif

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4383e981..bd2039d3 100644
index 2595f878..cf99c3ec 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2314,7 +2314,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
@@ -1658,8 +1658,10 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
}

+ int cnum;
if (tls_server)
{
+ cnum = sk_X509_NAME_num(cert_names);
SSL_CTX_set_client_CA_list(ctx->ctx, cert_names);
}

@@ -1672,7 +1674,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,

if (tls_server)
{
- int cnum = sk_X509_NAME_num(cert_names);
if (cnum != added)
{
crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d "
@@ -2234,7 +2235,7 @@ show_available_tls_ciphers_list(const char *cipher_list,
crypto_msg(M_FATAL, "Cannot create SSL object");
}

Expand Down
82 changes: 82 additions & 0 deletions tests/ci/integration/run_openvpn_integration.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
#!/usr/bin/env bash
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0 OR ISC

set -exu

source tests/ci/common_posix_setup.sh

# Set up environment.

# SYS_ROOT
# - SRC_ROOT(aws-lc)
# - SCRATCH_FOLDER
# - OPENVPN_SRC_FOLDER
# - AWS_LC_BUILD_FOLDER
# - AWS_LC_INSTALL_FOLDER

# Assumes script is executed from the root of aws-lc directory
SCRATCH_FOLDER="${SRC_ROOT}/OPENVPN_BUILD_ROOT"
OPENVPN_SRC_FOLDER="${SCRATCH_FOLDER}/openvpn"
OPENVPN_BUILD_PREFIX="${OPENVPN_SRC_FOLDER}/build/install"
OPENVPN_BUILD_EPREFIX="${OPENVPN_SRC_FOLDER}/build/exec-install"
OPENVPN_PATCH_BUILD_FOLDER="${SRC_ROOT}/tests/ci/integration/openvpn_patch"

AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build"
AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install"


mkdir -p ${SCRATCH_FOLDER}
rm -rf "${SCRATCH_FOLDER:?}"/*
cd ${SCRATCH_FOLDER}

function openvpn_build() {
autoreconf -ivf

OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" \
OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto" \
./configure \
--prefix="$OPENVPN_BUILD_PREFIX" \
--exec-prefix="$OPENVPN_BUILD_EPREFIX" \
--with-crypto-library=openssl \
--with-openssl-engine=no \
--disable-management

make -j install

export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib"

local openvpn_executable="${OPENVPN_SRC_FOLDER}/build/exec-install/sbin/openvpn"
ldd ${openvpn_executable} \
| grep "${AWS_LC_INSTALL_FOLDER}/lib/libcrypto.so" || exit 1
}

# TODO: Remove this when we make an upstream contribution.
function openvpn_patch_build() {
for patchfile in $(find -L "${OPENVPN_PATCH_BUILD_FOLDER}" -type f -name '*.patch'); do
echo "Apply patch $patchfile..."
patch -p1 --quiet -i "$patchfile"
done
}

function openvpn_run_tests() {
# Explicitly running as sudo and passing in LD_LIBRARY_PATH as some OpenVPN
# tests run as sudo and LD_LIBRARY_PATH doesn't get inherited.
sudo LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib" make check
}

git clone https://github.com/OpenVPN/openvpn.git ${OPENVPN_SRC_FOLDER}

# anchoring to tip of minor release 2.6.x for OpenVPN, currently not compatible
# with tip of main
cd ${OPENVPN_SRC_FOLDER} && git checkout release/2.6
mkdir -p ${AWS_LC_BUILD_FOLDER} ${AWS_LC_INSTALL_FOLDER}
ls

aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=Debug -DBUILD_SHARED_LIBS=1

# Build openvpn from source.
pushd ${OPENVPN_SRC_FOLDER}
openvpn_patch_build
openvpn_build
openvpn_run_tests

0 comments on commit fc14c55

Please sign in to comment.